Compare & Troubleshoot DNS Servers: dnseval

The third tool out of the DNSDiag toolkit from Babak is dnseval. “dnseval is a bulk ping utility that sends an arbitrary DNS query to a given list of DNS servers. This script is meant for comparing response times of multiple DNS servers at once.” It does not only list the response times, but also further information about the DNS responses, such as the TTL and the header flags. This is really useful for comparing and troubleshooting different DNS forwarders, as well as for checking how the responses of your own authoritative DNS servers are seen by others.

With this big list I can check many different DNS problems as shown below:

A Picture is worth a Thousand Words

Have a look at the following sample output from dnseval and all the information you can gather out of it. (If you are not familiar with the DNS header flags, have a look here.) I queried the FQDN fg.weberdns.de, which I host on my own authoritative DNS servers. That is, I can check whether all of these DNS servers are able to reach my own authoritative ones:

Validating DNSSEC

As already mentioned, not all public DNS servers validate DNSSEC. Google does, but OpenDNS and my ISP don't. When querying sigfail.verteiltesysteme.net, a test FQDN with an invalid DNSSEC signature, no server should reply with an answer. But these do:
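The two checks above, reading the header flags of each response and telling validating resolvers apart from non-validating ones via the sigfail name, can be reproduced with nothing but the Python standard library. The following is an added example written for this page; it is not code from dnsdiag or from its author. It builds a raw DNS query, decodes the 12-byte response header (rcode, counts, QR/AA/TC/RD/RA/AD/CD flags), classifies a response to a broken-signature name, and, in `evaluate_servers()`, sends the query to a list of resolvers over UDP with timing, similar in spirit to dnseval. The server list, the transaction id and the sample response bytes in the comments are constructed for the example; the only real names used are the two from the post.

```python
"""Added example, not part of dnsdiag: a stdlib-only mini dnseval."""
import socket
import struct
import time

# Bit positions in the 16-bit DNS header flags word (RFC 1035, AD/CD from RFC 4035).
FLAG_BITS = {
    "QR": 1 << 15, "AA": 1 << 10, "TC": 1 << 9, "RD": 1 << 8,
    "RA": 1 << 7, "AD": 1 << 5, "CD": 1 << 4,
}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=0x1234, cd=False):
    """Build a recursive query for `name` (qtype 1 = A, class IN).
    cd=True sets Checking Disabled: a validating resolver then returns the
    (bogus) data instead of SERVFAIL, which separates 'validating' from
    'cannot reach the zone at all'."""
    flags = FLAG_BITS["RD"] | (FLAG_BITS["CD"] if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header: id, rcode, section counts and set flags."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "flags": [n for n, bit in FLAG_BITS.items() if flags & bit],
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_dnssec(response):
    """Interpret a response to a name whose signature is deliberately broken
    (sigfail.verteiltesysteme.net in the post). A validating resolver refuses
    to hand out bogus data and answers SERVFAIL; a non-validating one returns
    the records with NOERROR. Anything else is inconclusive (timeout, REFUSED)."""
    h = parse_header(response)
    if h["rcode"] == "SERVFAIL":
        return "validating"
    if h["rcode"] == "NOERROR" and h["ancount"] > 0:
        return "not validating"
    return "inconclusive"


def evaluate_servers(servers, name, qtype=1, timeout=2.0):
    """Send one query per server over UDP and collect rtt, rcode and flags,
    the same columns dnseval prints. Needs network access; not used by the test."""
    results = []
    for server in servers:
        query = build_query(name, qtype)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(4096)
            rtt_ms = (time.monotonic() - start) * 1000
            h = parse_header(data)
            if h["id"] != struct.unpack("!H", query[:2])[0]:
                raise ValueError("transaction id mismatch")
            results.append({"server": server, "rtt_ms": round(rtt_ms, 1),
                            "rcode": h["rcode"], "flags": " ".join(h["flags"]),
                            "dnssec": classify_dnssec(data)})
        except (socket.timeout, OSError, ValueError) as exc:
            results.append({"server": server, "error": str(exc)})
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    # Constructed server list for illustration; replace with your own forwarders.
    for row in evaluate_servers(["8.8.8.8", "208.67.222.222"], "sigfail.verteiltesysteme.net"):
        print(row)
```

Only the header is decoded, which is enough for the comparison in the post: the AD flag tells you the resolver validated the data it returned, and SERVFAIL on the sigfail name tells you it validates at all. Run the same list a second time with `cd=True` in `build_query()` if a SERVFAIL could also mean the resolver simply cannot reach the zone.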